Federal Agencies Still Lag On FISMA Compliance

Half the 24 agencies reviewed by their own inspector generals last year slipped in compliance with the Federal Information Security Management Act. Only 7 achieved more than 90% compliance in areas such as security training and contingency planning.

(click image for larger view)

Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters

Despite the Obama administration's focus on cybersecurity, agencies still are not fully meeting the cybersecurity requirements of the Federal Information Security Management Act (FISMA), according to a recently released report.

Although agencies are making progress on implementing a new FISMA reporting requirement mandated by the feds in 2011, compliance with FISMA slipped for more than half of 24 agencies reviewed in a recent Office of Management and Budget (OMB) report.

The OMB asked inspector generals of the agencies to assess IT security programs in 11 areas, including risk management, configuration management, security training, contingency planning and identity and access management.

Only seven of the 24 agencies achieved more than 90% compliance with FISMA requirements for these areas, with the National Science Foundation (NSF) topping the list with 98.8% compliance. However, even that was a very slight slip from last year, when the NSF achieved 98.9% FISMA compliance, according to the OMB report.

Other agencies at the top of the list in compliance are the Social Security Administration (96.9%), the Environmental Protection Agency (94.9%), the Nuclear Regulatory Commission (94.8%), the Department of Homeland Security (DHS) (93.4%), NASA (92.9%), and the Department of Justice (91.2%). Still, the SSA, EPA, and NRC all achieved lower compliance scores from last year, when they were 100%, 99.2% and 96.7% compliant, respectively.

Eight agencies achieved 66% or higher compliance with FISMA, while nine achieved 65% or less. The Department of Transportation (44.2%), Department of Interior (44.2%) and Department of Agriculture (32.5%) were at the bottom of the list. The Department of Defense was not included in the OMB report, as it did not provide enough detail for FISMA compliance scoring, according to the report.

Despite overall low compliance numbers, there were some bright spots in the report. In 2011, the feds mandated that agencies begin reporting security data to an online compliance tool called Cyberscope.

More than 75% of the agencies reviewed have successfully demonstrated that they can provide automated data feeds to Cyberscope, a significant increase over the 17% that demonstrated this capability in 2010, according to the OMB's report. The plan is that the DHS will analyze this data to help mitigate risks across agencies going forward.

The report also outlines three priorities the feds have identified for FISMA this year: trusted Internet connections, continuous monitoring, and HSPD-12. The last requires agencies to upgrade their physical and logical access control infrastructure to require HSPD-12 PIV credentials for access to IT systems and facilities.

Agencies are making progress against these priorities, according to the report. In the area of HSPD-12, for example, agencies said that 89% of employees and contractors requiring PIV credentials--or cards to meet the new identity requirements--have received them.

Moreover, 66% of government user accounts are configured to require PIV cards to authenticate to agencies' networks, a figure that's up from 55% in fiscal-year 2010. The report attributes this increase to "several agencies which made significant strides in HSPD-12 implementation," according to the OMB.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)